9#include <botan/internal/pbes2.h>
10#include <botan/cipher_mode.h>
11#include <botan/pwdhash.h>
12#include <botan/der_enc.h>
13#include <botan/ber_dec.h>
14#include <botan/internal/parsing.h>
15#include <botan/internal/fmt.h>
16#include <botan/asn1_obj.h>
23bool known_pbes_cipher_mode(std::string_view mode)
25 return (mode ==
"CBC" || mode ==
"GCM" || mode ==
"SIV");
28secure_vector<uint8_t> derive_key(std::string_view passphrase,
29 const AlgorithmIdentifier& kdf_algo,
30 size_t default_key_size)
34 secure_vector<uint8_t> salt;
35 size_t iterations = 0, key_length = 0;
37 AlgorithmIdentifier prf_algo;
38 BER_Decoder(kdf_algo.parameters())
44 AlgorithmIdentifier(
"HMAC(SHA-1)",
49 throw Decoding_Error(
"PBE-PKCS5 v2.0: Encoded salt is too small");
52 key_length = default_key_size;
54 const std::string prf = prf_algo.oid().human_name_or_empty();
55 if(prf.empty() || !prf.starts_with(
"HMAC"))
57 throw Decoding_Error(
fmt(
"Unknown PBES2 PRF {}", prf_algo.oid()));
61 auto pbkdf = pbkdf_fam->from_params(iterations);
63 secure_vector<uint8_t> derived_key(key_length);
64 pbkdf->hash(derived_key, passphrase, salt);
69 secure_vector<uint8_t> salt;
70 size_t N = 0, r = 0, p = 0;
71 size_t key_length = 0;
73 AlgorithmIdentifier prf_algo;
74 BER_Decoder(kdf_algo.parameters())
84 key_length = default_key_size;
86 secure_vector<uint8_t> derived_key(key_length);
89 auto pwdhash = pwdhash_fam->from_params(N, r, p);
90 pwdhash->hash(derived_key, passphrase, salt);
96 throw Decoding_Error(
fmt(
"PBE-PKCS5 v2.0: Unknown KDF algorithm {}", kdf_algo.oid()));
100secure_vector<uint8_t> derive_key(std::string_view passphrase,
101 std::string_view digest,
102 RandomNumberGenerator& rng,
103 size_t* msec_in_iterations_out,
104 size_t iterations_if_msec_null,
106 AlgorithmIdentifier& kdf_algo)
108 const secure_vector<uint8_t> salt = rng.random_vec(12);
110 if(digest ==
"Scrypt")
114 std::unique_ptr<PasswordHash> pwhash;
116 if(msec_in_iterations_out)
118 const std::chrono::milliseconds msec(*msec_in_iterations_out);
119 pwhash = pwhash_fam->tune(key_length, msec);
123 pwhash = pwhash_fam->from_iterations(iterations_if_msec_null);
126 secure_vector<uint8_t> key(key_length);
127 pwhash->hash(key, passphrase, salt);
129 const size_t N = pwhash->memory_param();
130 const size_t r = pwhash->iterations();
131 const size_t p = pwhash->parallelism();
133 if(msec_in_iterations_out)
134 *msec_in_iterations_out = 0;
136 std::vector<uint8_t> scrypt_params;
137 DER_Encoder(scrypt_params)
151 const std::string prf =
fmt(
"HMAC({})", digest);
152 const std::string pbkdf_name =
fmt(
"PBKDF2({})", prf);
157 throw Invalid_Argument(
fmt(
"Unknown password hash digest {}", digest));
160 std::unique_ptr<PasswordHash> pwhash;
162 if(msec_in_iterations_out)
164 const std::chrono::milliseconds msec(*msec_in_iterations_out);
165 pwhash = pwhash_fam->tune(key_length, msec);
169 pwhash = pwhash_fam->from_iterations(iterations_if_msec_null);
172 secure_vector<uint8_t> key(key_length);
173 pwhash->hash(key, passphrase, salt);
175 std::vector<uint8_t> pbkdf2_params;
177 const size_t iterations = pwhash->iterations();
179 if(msec_in_iterations_out)
180 *msec_in_iterations_out = iterations;
182 DER_Encoder(pbkdf2_params)
187 .encode_if(prf !=
"HMAC(SHA-1)",
191 kdf_algo = AlgorithmIdentifier(
"PKCS5.PBKDF2", pbkdf2_params);
199std::pair<AlgorithmIdentifier, std::vector<uint8_t>>
200pbes2_encrypt_shared(std::span<const uint8_t> key_bits,
201 std::string_view passphrase,
202 size_t* msec_in_iterations_out,
203 size_t iterations_if_msec_null,
204 std::string_view cipher,
205 std::string_view prf,
206 RandomNumberGenerator& rng)
210 const auto cipher_spec =
split_on(cipher,
'/');
212 if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1]) || !enc)
214 throw Encoding_Error(
fmt(
"PBE-PKCS5 v2.0: Invalid or unavailable cipher '{}'", cipher));
217 const size_t key_length = enc->key_spec().maximum_keylength();
219 const secure_vector<uint8_t> iv = rng.random_vec(enc->default_nonce_length());
221 AlgorithmIdentifier kdf_algo;
223 const secure_vector<uint8_t> derived_key =
224 derive_key(passphrase, prf, rng,
225 msec_in_iterations_out, iterations_if_msec_null,
226 key_length, kdf_algo);
228 enc->set_key(derived_key);
230 secure_vector<uint8_t> ctext(key_bits.begin(), key_bits.end());
233 std::vector<uint8_t> encoded_iv;
236 std::vector<uint8_t> pbes2_params;
237 DER_Encoder(pbes2_params)
240 .encode(AlgorithmIdentifier(cipher, encoded_iv))
245 return std::make_pair(
id,
unlock(ctext));
250std::pair<AlgorithmIdentifier, std::vector<uint8_t>>
252 std::string_view passphrase,
253 std::chrono::milliseconds msec,
254 std::string_view cipher,
255 std::string_view digest,
258 size_t msec_in_iterations_out =
static_cast<size_t>(msec.count());
259 return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
263std::pair<AlgorithmIdentifier, std::vector<uint8_t>>
265 std::string_view passphrase,
266 std::chrono::milliseconds msec,
267 size_t* out_iterations_if_nonnull,
268 std::string_view cipher,
269 std::string_view digest,
272 size_t msec_in_iterations_out =
static_cast<size_t>(msec.count());
274 auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
276 if(out_iterations_if_nonnull)
277 *out_iterations_if_nonnull = msec_in_iterations_out;
282std::pair<AlgorithmIdentifier, std::vector<uint8_t>>
284 std::string_view passphrase,
286 std::string_view cipher,
287 std::string_view digest,
290 return pbes2_encrypt_shared(key_bits, passphrase,
nullptr, pbkdf_iter, cipher, digest, rng);
293secure_vector<uint8_t>
295 std::string_view passphrase,
296 const std::vector<uint8_t>& params)
307 const auto cipher_spec =
split_on(cipher,
'/');
308 if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1]))
322 dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));
const std::vector< uint8_t > & parameters() const
BER_Decoder & decode(bool &out)
BER_Decoder & verify_end()
BER_Decoder start_sequence()
static std::unique_ptr< Cipher_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
std::string human_name_or_empty() const
static OID from_string(std::string_view str)
static std::unique_ptr< PasswordHashFamily > create_or_throw(std::string_view algo_spec, std::string_view provider="")
static std::unique_ptr< PasswordHashFamily > create(std::string_view algo_spec, std::string_view provider="")
std::string fmt(std::string_view format, const T &... args)
std::vector< std::string > split_on(std::string_view str, char delim)
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter(std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
secure_vector< uint8_t > pbes2_decrypt(std::span< const uint8_t > key_bits, std::string_view passphrase, const std::vector< uint8_t > ¶ms)
std::vector< T > unlock(const secure_vector< T > &in)
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec(std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
std::vector< T, secure_allocator< T > > secure_vector
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt(std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)